WSO2 Identity Server is the Customer Identity and Access Management solution that is part of the big three of WSO2, next to the API Manager and Enterprise Integrator.
In this blog I am going to take a look at the Identity Server’s My Account functionality. This is where the user (not the administrator) can change and maintain their own login information.
Let’s get started with MyAccount in Identity Server 5.11.0
In the latest version a lot has changed, not to mention the look and feel! I will walk you through the options that you now have and the kind of information you can maintain.
Start the product using either the .sh script (mac / Linux) or .bat file (Windows). As you can see am on Windows. After it finishes starting up it will display three URLs:
- Mgt console url: https://localhost:9443/carbon/
- My account url https://localhost:9443/myaccount
- Console url: https://localhost:9443/console
The first is the regular Management UI console that is used to (partly) configure the product. I say partly because a lot is done via the deployment.toml file that governs configuration files. For the (end) user this URL should not be accessible. The third option is the Console URL. This is closely tied to the Management URL and is currently in Beta. It allows configuration like the traditional Management UI and might replace the management UI altogether in upcoming versions.
That leaves of course the My Account URL. That is where we can maintain and change our data.
Logging in is a matter of entering userid and password. Since this is a new install, I only have the admin credentials. But there is an option to Create an Account,
But alas, this is not enabled by default. If I do want to self-register, I need to go and change the setting in the Management UI or Console. If you flip the switch on User Self Registration (to Enabled) and update the settings (button not shown in screenshot) you can self-register.
But before you jump in, the self-registration works with an email that is send to the email you provide. By default, the configuration of email in Identity Server is done using the deployment.toml file. This can be found at [IS-HOME]/repository/conf/deployment.toml. Make changes to use a mail address, mail gateway and password. Restart the Identity Server since the file is only read and parsed at startup. I am using mailtrap.io, please substitute your own mail credentials.
Fill in the details. All these fields are so called claims and can be configured to be mandatory.
And Presto. I’ve received an email and I can now log in
The overview shows the elements / data that we can change or maintain. We can see that we have a number of things that we have not filled in that are optional. Let us fix that.
We will start with the image of the user. I am using a site called thispersondoesnotexist.com that will give you a picture of our tester. We cannot upload any pictures, only link to them. Alternatives are to keep initials or have a gravatar.
I am now at 100% as far as the profile goes.
But there is more
There are three more things we can see when we look at the Personal Info. Export Profile downloads the details in JSON. You get a JSON file with the information about the user.
Linked Accounts
WSO2 IS allows linking multiple accounts that a user has and switching between accounts once the user links their accounts. WSO2 IS also allows to connect a user’s federated user credentials with their WSO2 Identity Server account.
Here I’ve combined tester and admin. I can now switch between the two accounts.
Security
Let us look at the Security possibilities as the third option that we see. Note that the image of our tester changes since it will be retrieved every time a refresh is done. The site we use generates a new image when accessed.
We have the possibility to change a password. What is a bit strange is the requirement to enter the current password. We are already logged in! On the other hand, if you leave the PC unattended, without the password entry someone could change the password.
In case of a forgotten password the administrator of IS can of course reset it but there are also two other possibilities:
- Security questions
- Email recovery
These questions can be changed by the administrator (both language and actual question). The (dummy) answers are in plain text at this moment. Changing the email address updates your record.
However, the recovery is not enabled by default.
In order to enable it, you need to enable the settings either in the Management UI or in the Console. Here you will find a large number of settings with regards to account recovery. I am only showing the first three.
Now we are able to recover. When both security questions are answered, we can reset.
Using email sends out an email to the user.
Multifactor Authentication
In order to add an additional level of security you can add multifactor authentication to the Identity Server. In this case you will need to provide or input a value that is tied to your mobile device or for instance a fido key like Yubico’s keys. This requires some configuration by the administrator in case of the SMS service (you need to configure an SMS gateway / provider) as well as the Authenticator App (also configuring the one you would like to use). The Fido support is out of the box, you simply insert and register a fido key with your account.
Of course, you do need to configure the service providers that you want to enable using the fido keys, like you would SMS and Authenticator as well.
Active IPD sessions show the sessions with the IDP on your account. The consent management page will show the consent you have given to share information. This as an integral part of GDPR support. Consent can be given and revoked.
Admin vs. regular user
Is there a difference between what an admin user sees and what a regular user sees? In previous versions there was a difference because the admin user would see the human tasks (when enabled). In this version approvals / Human tasks are in the console application that is available on
Conclusion
The new My Account functionality offers a fresh look on the user’s data and the possibility to maintain it. The fresh interface gives it a modern feel and the fact that it is only showing the users data makes a lot of sense.
